<!DOCTYPE html>
<html>

<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
	<meta name="theme-color" content="#33474d">
	<title>squid transparent proxy configuration | 失落的乐章</title>
	<link rel="stylesheet" href="/css/style.css" />
	
      <link rel="alternate" href="/atom.xml" title="失落的乐章" type="application/atom+xml">
    
</head>

<body>

	<header class="header">
		<h1 class="header__title"><a href="/">失落的乐章</a></h1>
		<h2 class="header__subtitle">In front of technology, one is always a student.</h2>
	</header>

	<main>
		<article>
	
		<h1>squid transparent proxy configuration</h1>
	
	<div class="article__infos">
		<span class="article__date">2017-10-12</span><br />
		
		
			<span class="article__tags">
			  	<a class="article__tag-link" href="/tags/Squid/">Squid</a>
			</span>
		
	</div>

	

	
		<h2 id="什么是透明代理？"><a href="#什么是透明代理？" class="headerlink" title="什么是透明代理？"></a>What is a transparent proxy?</h2><p>A transparent proxy is one whose existence the client does not need to know about at all: it rewrites the request fields (headers), passes along the client's real IP address, and is most often used in NAT forwarding on routers.</p>
<h2 id="透明代理的原理："><a href="#透明代理的原理：" class="headerlink" title="透明代理的原理："></a>How a transparent proxy works:</h2><ol>
<li>Let A be a client on the internal network.</li>
<li>Let B be a server on the external network, running an httpd service that listens on port 80.</li>
<li>Let C be the proxy server (which is also our gateway); suppose the proxy service listens on port 3128.</li>
</ol>
<p>The process: when A requests data from port 80 on B, the TCP connection request first passes through C. Because C has a forwarding rule configured, when it sees that A is asking for B's port 80 it redirects that request to its own port 3128; in other words, A is actually talking to C's port 3128 and not to B's port 80. C then connects to B's port 80 on A's behalf, fetches the data A asked for, stores it on C, and hands it back to A. From A's point of view it seems to have requested B directly, but that is not what happened. Since all of this is automatic, the client needs no manual proxy configuration and the user may not even know the proxy exists, which is why it is transparent to the user.</p>
<h2 id="来配置透明代理："><a href="#来配置透明代理：" class="headerlink" title="来配置透明代理："></a>Configuring the transparent proxy:</h2><p>From the analysis above it follows that transparent proxying only works when the proxy server is the gateway; otherwise it has no effect. In practice a transparent proxy server should have at least two network interfaces: the first connects to the external network (i.e. it can reach the Internet directly), and the second connects to the internal LAN segment, namely the segment that is to reach the Internet through the proxy.</p>
<p>Suppose the proxy server's first interface, eth0, has IP 10.2.1.100 (the address with Internet access) and the second, eth1, has IP 192.168.19.1. Then the LAN segment that goes through the transparent proxy is 192.168.19.0/24, and clients on that LAN must use 192.168.19.1 as their gateway address.</p>
<h3 id="1-安装squid"><a href="#1-安装squid" class="headerlink" title="1.安装squid"></a>1. Install squid</h3><figure class="highlight bash"><pre><code>yum install -y squid</code></pre></figure>
<h3 id="2-配置squid"><a href="#2-配置squid" class="headerlink" title="2.配置squid"></a>2. Configure squid</h3><figure class="highlight bash"><pre><code>rm -f /etc/squid/squid.conf
vim /etc/squid/squid.conf</code></pre></figure>
<p>Write the following content:</p>
<figure class="highlight bash"><pre><code># "transparent" is the squid 2.x / 3.0 keyword; squid 3.1 and later call this mode "intercept"
http_port 3128 transparent
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
# keep "deny all" as the last http_access rule: anything not matched above is refused,
# so the gateway does not become an open proxy for hosts outside localnet
http_access deny all
cache_dir aufs /data/cache 1024 16 256
cache_mem 128 MB
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \.(jpg|png|gif|mp3|xml) 1440 50% 2880 ignore-reload
refresh_pattern . 0 20% 4320</code></pre></figure>
<h3 id="3-创建缓存目录，并修改权限"><a href="#3-创建缓存目录，并修改权限" class="headerlink" title="3.创建缓存目录，并修改权限"></a>3. Create the cache directory and set its permissions</h3><figure class="highlight bash"><pre><code># the path must match the cache_dir line in squid.conf
mkdir -p /data/cache; chown -R squid:squid /data/cache</code></pre></figure>
<h3 id="4-初始化缓存目录"><a href="#4-初始化缓存目录" class="headerlink" title="4.初始化缓存目录"></a>4. Initialize the cache directory</h3><figure class="highlight bash"><pre><code>squid -z</code></pre></figure>
<h3 id="5-启动squid"><a href="#5-启动squid" class="headerlink" title="5.启动squid"></a>5. Start squid</h3><figure class="highlight bash"><pre><code>service squid start</code></pre></figure>
<h3 id="6-打开端口转发"><a href="#6-打开端口转发" class="headerlink" title="6.打开端口转发"></a>6. Enable IP forwarding</h3><figure class="highlight bash"><pre><code>echo "1" &gt; /proc/sys/net/ipv4/ip_forward</code></pre></figure>
<h3 id="7-设置防火墙规则"><a href="#7-设置防火墙规则" class="headerlink" title="7. 设置防火墙规则"></a>7. Set firewall rules</h3><figure class="highlight bash"><pre><code># masquerade everything leaving through the Internet-facing interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# redirect plain HTTP (port 80) from the LAN segment to squid's port; 443 and other ports are not intercepted
iptables -t nat -A PREROUTING -p tcp -s 192.168.19.0/24 --dport 80 -j REDIRECT --to-ports 3128</code></pre></figure>
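<p>Steps 3 to 7 above collected into one script, an added example that is not part of the original post. It renders the two nat rules from the post's values (192.168.19.0/24 behind eth1, eth0 toward the Internet, squid on 3128) and, before touching the system, checks the squid.conf for the two things that most often go wrong with an intercepting gateway: the http_access chain must end in <code>deny all</code> with nothing after it (otherwise every host that can route through the gateway gets an open proxy), and exactly one <code>http_port</code> line must carry the interception keyword (a plain <code>http_port 3128</code> does not accept redirected traffic). The function names <code>gen_nat_rules</code>, <code>check_acl_order</code>, <code>check_intercept_port</code> and <code>apply_setup</code> and the <code>--apply</code> flag are my own; without the flag the script only prints the rules it would add.</p>

```shell
#!/bin/sh
# Added example, not from the original post. Renders the gateway setup from
# steps 3 to 7 from a few variables and validates the squid ACL ordering
# before anything is applied. Defaults are the post's own values.
set -eu

LAN_NET="${LAN_NET:-192.168.19.0/24}"       # segment behind eth1 (192.168.19.1)
WAN_IF="${WAN_IF:-eth0}"                    # interface that reaches the Internet
SQUID_PORT="${SQUID_PORT:-3128}"            # port from "http_port ... transparent"
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"

# Print the two nat rules of step 7 for the given LAN, WAN interface and
# squid port. Only TCP port 80 is redirected; port 443 and everything else
# from the LAN is simply masqueraded and never passes through squid.
gen_nat_rules() {
    lan="$1"; wan="$2"; port="$3"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan"
    printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport 80 -j REDIRECT --to-ports %s\n' \
        "$lan" "$port"
}

# Read a squid.conf on stdin. Returns 0 only when at least one http_access
# line exists, "http_access deny all" is present, and no http_access rule
# follows it (a trailing allow would silently reopen the proxy). Else 1.
check_acl_order() {
    awk '
        /^[[:space:]]*http_access[[:space:]]/ {
            n++
            if (seen_deny_all) bad = 1
            if ($2 == "deny" && $3 == "all") seen_deny_all = 1
        }
        END { exit ((n == 0 || !seen_deny_all || bad) ? 1 : 0) }
    '
}

# Read a squid.conf on stdin. Returns 0 when exactly one http_port line is
# marked for interception ("transparent" in squid 2.x / 3.0, "intercept"
# from 3.1 on), 1 otherwise.
check_intercept_port() {
    awk '
        /^[[:space:]]*http_port[[:space:]]/ && ($3 == "transparent" || $3 == "intercept") { ok++ }
        END { exit ((ok == 1) ? 0 : 1) }
    '
}

# Steps 3 to 7 of the post, to be run as root on the gateway, gated on the
# two checks above so a misordered ACL never goes live.
apply_setup() {
    cat "$SQUID_CONF" | check_acl_order || {
        echo "refusing: http_access rules in $SQUID_CONF do not end with 'deny all'" >&2
        return 1
    }
    cat "$SQUID_CONF" | check_intercept_port || {
        echo "refusing: need exactly one 'http_port PORT transparent|intercept' line in $SQUID_CONF" >&2
        return 1
    }
    mkdir -p /data/cache && chown -R squid:squid /data/cache   # step 3
    squid -z                                                   # step 4
    service squid start                                        # step 5
    echo 1 > /proc/sys/net/ipv4/ip_forward                     # step 6
    gen_nat_rules "$LAN_NET" "$WAN_IF" "$SQUID_PORT" | sh -e   # step 7
}

# Dry run by default: only print the rules that --apply would add.
if [ "${1:-}" = "--apply" ]; then
    apply_setup
else
    gen_nat_rules "$LAN_NET" "$WAN_IF" "$SQUID_PORT"
fi
```

<p>Run it without arguments on any machine to see the rules it would add; run <code>sh setup.sh --apply</code> as root on the gateway to perform the steps. The checks read the configuration rather than querying a running squid, so they can be run against a file before it is copied into place.</p>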

	

	

	

</article>

	</main>

	<footer class="footer">
	<div class="footer-content">
		

		<div class="footer-credit">
			<span>© 2017 失落的乐章 | Powered by <a href="https://hexo.io/">Hexo</a> | Theme <a href="https://github.com/HoverBaum/meilidu-hexo">MeiliDu</a></span>
		</div>

	</div>


</footer>



</body>

</html>
